China group may have been hiding in IT networks for five years, says Five Eyes warning

Following recent American warnings of China’s efforts to secretly plant itself on critical infrastructure for future cyber attacks, Canada and other members of Five Eyes intelligence co-operative today issued a joint advisory so firms in all countries in the group will be on alert — and other nations watching their actions will hear as well.

“People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against critical infrastructure in the event of a major crisis or conflict,” the warning says.

In fact, it notes, the U.S. has evidence Volt Typhoon has been maintaining access and footholds within some victim IT environments for at least five years.

The partners — including Canada, the U.S., Australia, the U.K., and New Zealand — released the advisory to warn critical infrastructure organizations about the assessment by American cyber authorities, based on incident response activities at critical infrastructure organizations.

In particular, the warning urges infosec pros to watch for activity from the PRC state-sponsored cyber group known to researchers as Volt Typhoon (also called Vanguard Panda, Bronze Silhoutte, Dev-0391, UNC3236, Voltzite, and Insidious Taurus by different researchers).

“The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in communications, energy, transportation systems, and water and wastewater systems sectors—in the continental and non-continental United States and its territories, including Guam.” the warning says.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”

The Canadian Centre for Cyber Security believes that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, the warning says. But, it adds, should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration of critical infrastructure providers.

Public warnings of Volt Typhoon emerged last May in a report from Microsoft. It said the group has targeted critical infrastructure organizations in Guam and elsewhere in the United States since 2021, probably for espionage. Its tools include the KV botnet for distributing malware.

Then, in December, researchers at Lumen Technologies reported details about the KV botnet. Researchers at SecurityScorecard followed up with a report that Volt Typhoon had compromised two models of vulnerable end-of-life routers from Cisco Systems in December.

Fighting back, last month the U.S. disabled Volt Typhoon’s botnet of hundreds of U.S.-based small office/home office (SOHO) routers that were distributing malware.

Volt Typhoon will compromise a network in various ways, including password cracking, leveraging stolen credentials, and exploiting hardware or software vulnerabilities. In one confirmed compromise, the report says, Volt Typhoon actors likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched.

After establishing a foothold, a favoured tactic is to use common tools already on a victim’s IT or OT network (also called living-off-the-land) to hide and maintain persistence on the network. “Evidence of their meticulous approach is seen in instances where they repeatedly exfiltrate domain credentials, ensuring access to current and valid accounts,” says the warning.

The warning also links to mitigations that critical infrastructure providers — including utilities, financial institutions, transportation firms, hospitals and others — should act on.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.